AirGapNet: Physical network isolation
Blog / Concept / February 2026 / 7 min read

Air gap vs network segmentation: when to use which

Both isolate, but they answer different questions. Segmentation asks who may use a path; an air gap asks whether the path exists. Pick the right tool — usually both, in different parts of the diagram.

Segmentation asks who may use a path. An air gap asks whether the path exists. The two are not competitors — they answer different questions about the same network.

Section 01

What each one actually does

Network segmentation is the discipline of splitting a flat network into smaller zones connected by software-defined rules. VLANs, firewalls between zones, SDN micro-segmentation, identity-based access — all variations on the same theme. The path between zones exists; the policy decides which packets cross it.

An air gap removes the path. There is no link between the isolated network and the rest of the world; if data must move between them, a human or a hardware switch carries it. The classical air gap is permanent (think SCIFs and classified networks). The kind AirGapNet implements is per-line and time-boxed — the gap is the default state, and a defined maintenance window is the exception.

Section 02

When segmentation is the right tool

Most traffic on a corporate or operational network needs to flow continuously. Email, file sync, application traffic between microservices, payroll systems talking to HR. For all of this, segmentation is the right shape: the path stays up, policy gates who can use it, and most of the time the policy is correct.

Segmentation also adapts well to identity. Zero-trust architectures lean on identity-aware proxies and short-lived tokens because the traffic is continuous and the question is always 'who is this request from'. Air gaps cannot answer that question — they only answer 'does the path exist'.

  • Continuous traffic

    Email, sync, app-to-app — anywhere a closed line would break normal operations every minute.

  • Identity-gated decisions

    Most internal access is about who, not whether. Software gates handle 'who' well.

  • Frequent policy updates

    Rule changes happen weekly. Software-defined gates are mutable in the way you want for this.

Section 03

When an air gap earns its keep

Service paths that should be reachable only during a defined window are the wrong shape for segmentation. The vendor maintenance VPN, the backup target line, the admin tunnel to a financial gateway, the update channel to an OT controller — for these, the question is not 'who may use the path' but 'should the path exist right now at all'.

Segmentation gates the question of 'who'. An air gap gates the question of 'whether'. The two questions are not interchangeable. A misconfigured firewall on a maintenance path still leaves the path up; a misfiring relay on the same path leaves the path down, which is the safe state.
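To make the two questions concrete, here is an added example (not AirGapNet's code) that models one maintenance line gated both ways: a firewall ACL answers 'who', a time-boxed physical break answers 'whether', and a small audit check flags a line that is physically up outside its window. The ACL entries, window times and the default-allow misconfiguration are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed sample: one vendor-maintenance line, gated two ways.
# 1) a firewall ACL decides WHO may use the path (segmentation);
# 2) a per-line physical break decides WHETHER the path exists (air gap),
#    present only inside a declared maintenance window.
ACL = {"vendor-svc": True, "contractor-laptop": False}

@dataclass(frozen=True)
class Window:
    start: datetime
    end: datetime

    def contains(self, t: datetime) -> bool:
        return self.start <= t < self.end

WINDOWS = [Window(datetime(2026, 2, 10, 2, 0), datetime(2026, 2, 10, 4, 0))]
INSIDE = datetime(2026, 2, 10, 3, 0)   # sample instant inside the window
OUTSIDE = datetime(2026, 2, 10, 9, 0)  # sample instant outside it

def policy_permits(identity: str) -> bool:
    # Modelled misconfiguration: an identity missing from the ACL is allowed.
    return ACL.get(identity, True)

def link_present(now: datetime, relay_fault: bool = False) -> bool:
    # A relay fault fails to "no path", never to "path up".
    if relay_fault:
        return False
    return any(w.contains(now) for w in WINDOWS)

def path_reachable(now: datetime, identity: str, relay_fault: bool = False) -> bool:
    # Both gates must agree; outside the window no ACL mistake can open the path.
    return link_present(now, relay_fault) and policy_permits(identity)

def audit_link_state(now: datetime, observed_up: bool) -> list[str]:
    # Detection: a line that is physically up outside any window is the finding
    # that matters; a line down inside a window is only an availability issue.
    expected = any(w.contains(now) for w in WINDOWS)
    alerts = []
    if observed_up and not expected:
        alerts.append(f"{now.isoformat()} line up outside maintenance window")
    if expected and not observed_up:
        alerts.append(f"{now.isoformat()} line down inside maintenance window")
    return alerts

if __name__ == "__main__":
    print(path_reachable(INSIDE, "unknown-host"))   # True: window open, ACL gap exposed
    print(path_reachable(OUTSIDE, "unknown-host"))  # False: the air gap covers the ACL gap
    print(audit_link_state(OUTSIDE, observed_up=True))
```

The same model covers the hybrid pattern: the ACL is still the right gate for the continuous traffic, and the physical break only adds the second gate on the handful of lines that have a window.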

Section 04

The hybrid pattern

In practice, regulated networks do not pick one. They use segmentation for the 90% of traffic that flows continuously, and physical breaks on the handful of service paths that should not. Backup writes go to a target behind an AGN1; the rest of the storage tier sits behind the normal firewall. Vendor maintenance lines are physical-break-by-default; the rest of OT traffic is segmented into Purdue layers.

Auditors recognize both. NIST 800-82 and IEC 62443 both call out segmentation as a baseline and treat physical isolation as the stronger control where the path does not need to be continuously available. The right answer is usually 'both, in different parts of the diagram'.

Go from reading to running

See AirGapNet on your network.

We bring a real AGN1 to your bench and run one maintenance window on your equipment. 30 minutes on the call.